EASEAndroid: Automatic Policy Analysis and Refinement for Security Enhanced Android via Large-Scale Semi-Supervised Learning

Ruowen Wang (1,2), William Enck (2), Douglas Reeves (2), Xinwen Zhang (1), Peng Ning (1,2), Dingbang Xu (1), Wu Zhou (1), Ahmed M. Azab (1)

(1) Samsung KNOX R&D, Samsung Research America
(2) North Carolina State University

Security Enhanced Android

“Multiple vulnerabilities have been prevented since we introduced SELinux”
-- Android Official Blog, October 28, 2014

“SEAndroid prevents first exploit against commercial phone”
-- http://securityblog.org/2013/04/30/SE-Android-and-the-motochopper-exploit/

The Core of SEAndroid: Policy

“Vendors don’t know how to write policies”
-- @pof, “Defeat SEAndroid”, Defcon 2013

[Figure: “AVC??”]

Policy Language

• Security labels <=> concrete subjects/objects
  app_data_file <=> /data/data/.*

• Allow rules grant benign operations
  allow appdomain app_data_file:file { read write execute };

• Neverallow rules define what would be privilege escalation: accesses that must never be granted. They are enforced at policy compile time, so an allow rule that overlaps a neverallow rule (including through an attribute that expands to the forbidden type) fails the build rather than reaching the device.
  neverallow untrusted_app init:file { read };
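To make the compile-time semantics concrete, here is an added Python sketch (my example, not code from the paper or from the AOSP policy toolchain) of what the policy compiler does with neverallow rules: it expands attributes to their member types and reports every allow rule whose source, target, class and permissions overlap a neverallow. The mini-policy is constructed for the example; a real checkpolicy also handles negation, `self`, `*` and `~` in rules, which this sketch ignores.

```python
import re

# Constructed mini-policy in the slide's syntax; not a real AOSP policy file.
# The second allow is only a violation once "appdomain" is expanded to its members.
POLICY = """
attribute appdomain;
typeattribute untrusted_app appdomain;
typeattribute system_app appdomain;
allow appdomain app_data_file:file { read write execute };
allow appdomain init:file { read };
neverallow untrusted_app init:file { read };
"""

ATTR_DECL_RE = re.compile(r"^attribute\s+(\S+)\s*;$")
TYPEATTR_RE = re.compile(r"^typeattribute\s+(\S+)\s+(\S+)\s*;$")
RULE_RE = re.compile(r"^(allow|neverallow)\s+(\S+)\s+(\S+):(\S+)\s+\{([^}]*)\}\s*;$")

def parse_policy(text):
    """Return ({attribute: set(types)}, [(kind, src, tgt, tclass, perms)])."""
    attrs, rules = {}, []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := ATTR_DECL_RE.match(line):
            attrs.setdefault(m.group(1), set())
        elif m := TYPEATTR_RE.match(line):
            attrs.setdefault(m.group(2), set()).add(m.group(1))
        elif m := RULE_RE.match(line):
            kind, src, tgt, tclass, perms = m.groups()
            rules.append((kind, src, tgt, tclass, frozenset(perms.split())))
    return attrs, rules

def expand(name, attrs):
    """An attribute stands for every type assigned to it; a type stands for itself."""
    return attrs[name] if name in attrs else {name}

def neverallow_violations(text):
    """Emulate the compile-time check: report every allow whose expanded
    (source, target, class, perms) overlaps a neverallow, with the overlapping types."""
    attrs, rules = parse_policy(text)
    allows = [r for r in rules if r[0] == "allow"]
    nevers = [r for r in rules if r[0] == "neverallow"]
    violations = []
    for _, nsrc, ntgt, ncls, nperms in nevers:
        for _, asrc, atgt, acls, aperms in allows:
            if acls != ncls:
                continue
            src = expand(asrc, attrs) & expand(nsrc, attrs)
            tgt = expand(atgt, attrs) & expand(ntgt, attrs)
            perms = aperms & nperms
            if src and tgt and perms:
                violations.append((asrc, atgt, acls, sorted(perms), sorted(src)))
    return violations

if __name__ == "__main__":
    for asrc, atgt, acls, perms, types in neverallow_violations(POLICY):
        print("neverallow violated by: allow %s %s:%s { %s }  (via %s)"
              % (asrc, atgt, acls, " ".join(perms), ", ".join(types)))
```

The point a policy author should take from this is that `allow appdomain init:file { read }` looks harmless on its own; it is rejected only because `appdomain` expands to `untrusted_app`. Attribute-based allow rules are exactly where coarse policy silently widens access, which is why the refinement generator later in this deck prefers narrow, evidence-backed attributes.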

SEAndroid Policy Challenges

• Requires a complete redesign of the policy
  – Android is different from traditional Linux
• Requires policy analysts to have both
  – Domain knowledge (allow benign accesses)
  – Security expertise (prevent malicious accesses)
• Requires continuous refinement
  – New Android releases
  – New attacks

How to Refine? Analyze the Audit Log

• Audit log
  – Logs access events that are not matched by any allow rule (AVC denials)
  – Analysts parse the logs to refine the policy
• Information in one access event
  – Security labels of the denied access
  – Syscall subject info (e.g. process name)
  – Syscall object info (e.g. file path)
• We model each event as a 6-tuple access pattern
  <sbj, sbj_label, perm, tclass, obj, obj_label>
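The following added Python example (mine, not the paper's parser) turns AVC denial lines in the kernel audit format into the 6-tuple access patterns described above, and generalizes object paths so that many unique events collapse into one pattern, as the evaluation reports (145K events into 3530 patterns). The log lines are constructed for the example, not taken from the paper's dataset; the generalization rule (replace dotted components such as package names with `*`, cap path depth at three components) is my assumption, since the slides do not give the paper's rule. A denial with several permissions in one `{ ... }` block yields one tuple per permission.

```python
import re
from collections import Counter

# Constructed sample AVC denials in the format SEAndroid writes to the kernel log
# (not from the paper's dataset). Two of them differ only in the app package path.
SAMPLE_LOG = """
avc: denied { read write } for pid=2310 comm="app_process" name="fb0" dev="tmpfs" ino=4021 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
avc: denied { open } for pid=1188 comm="surfaceflinger" path="/data/misc/zoneinfo/tzdata" dev="mmcblk0p12" ino=88 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
avc: denied { open } for pid=1201 comm="dhcpcd" path="/data/misc/zoneinfo/tzdata" dev="mmcblk0p12" ino=88 scontext=u:r:dhcpcd:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
avc: denied { write } for pid=2310 comm="app_process" path="/data/data/com.example.game/files/x.so" dev="mmcblk0p12" ino=915 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file
avc: denied { write } for pid=2414 comm="app_process" path="/data/data/com.example.other/files/y.so" dev="mmcblk0p12" ino=916 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]+)\} for pid=\d+ comm="(?P<comm>[^"]+)" '
    r'(?:path="(?P<path>[^"]+)"|name="(?P<name>[^"]+)")'
    r'.*?scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)')

def context_type(ctx):
    """'u:r:untrusted_app:s0' -> 'untrusted_app' (user:role:type:level)."""
    return ctx.split(":")[2]

def generalize_path(path, depth=3):
    """Assumed generalization: dotted components (package names, file names) become '*',
    paths are cut after `depth` components, and runs of '*' are collapsed."""
    parts = ["*" if "." in p else p for p in path.split("/") if p]
    if len(parts) > depth:
        parts = parts[:depth] + ["*"]
    out = []
    for p in parts:
        if p == "*" and out and out[-1] == "*":
            continue
        out.append(p)
    return "/" + "/".join(out)

def parse_event(line):
    """One log line -> list of <sbj, sbj_label, perm, tclass, obj, obj_label> tuples."""
    m = AVC_RE.search(line)
    if not m:
        return []
    obj = generalize_path(m["path"]) if m["path"] else m["name"]  # device nodes log name=, not path=
    sbj, sbj_label = m["comm"], context_type(m["sctx"])
    obj_label, tclass = context_type(m["tctx"]), m["tclass"]
    return [(sbj, sbj_label, perm, tclass, obj, obj_label) for perm in m["perms"].split()]

def access_patterns(log):
    """Count how many events each generalized access pattern covers."""
    counts = Counter()
    for line in log.strip().splitlines():
        for pattern in parse_event(line):
            counts[pattern] += 1
    return counts

if __name__ == "__main__":
    pats = access_patterns(SAMPLE_LOG)
    print("%d events -> %d access patterns" % (sum(pats.values()), len(pats)))
    for p, n in pats.most_common():
        print(n, p)
```

A caveat when doing this on real devices: the audit log only records what the current policy denies, so an access already covered by an over-broad allow rule never shows up here, which is one reason the paper needs the existing policy as a second input rather than the logs alone.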

Real-World Challenges

• Millions of such audit logs
• Unknown new benign & malicious access patterns mixed together
• Continuous effort due to Android updates and emerging new attacks

EASEAndroid

• Elastic Analytics of SEAndroid
• Features:
  1. Analyze audit logs at large scale
  2. Classify new benign & malicious access patterns
  3. Propose new security labels and rules as policy refinements
• Key insight:
  – Model policy refinement as semi-supervised learning

Key Insight

[Figure: audit logs plus the existing policy and known access patterns feed a step that learns unknown access patterns from their semantic correlations with known ones (Known <=> Unknown, semi-supervised learning); the results are analyzed and merged into new allow / neverallow rules. Legend: known access pattern (sbj, <perm, tclass>, obj), new access pattern, + benign, - malicious.]

EASEAndroid Architecture

[Figure: pipeline diagram. Inputs: audit logs, and the existing policy with known access patterns (allow / neverallow rules, + benign / - malicious patterns). Three learners run over the inputs: (1) NN Classifier, (2) Pattern-to-Rule Distance Measurer, (3) Co-Occurrence Learner (shown as a co-occurrence matrix over patterns 1, 2, 3, ... with entries such as 0.9, 0.8, 0.2, 0.1, 0.05 and 1 on the diagonal). Their outputs go to the Learning Balancer & Combiner and then to the Policy Refinement Generator, which emits the refined policy. Newly learned knowledge is fed back and merged to learn more iteratively; the refined policy is merged into the knowledge base once confirmed (optional).]

Nearest-Neighbor (NN) Classifier

• Observation
  – Known sbjs perform new access patterns
    • Android apps/binaries update with new features
  – New sbjs perform known access patterns
    • Exploit kits share malicious access patterns
• The NN Classifier identifies connections between
  – Known subjects <=> New access patterns
  – New subjects <=> Known access patterns

[Figure: known and unknown exploit kits share the same /dev/graphics/fb exploit]

Pattern-to-Rule (P2R) Distance Measurer

• Observation
  – New access patterns that are close to existing, incomplete rules are usually the missing parts of those rules
• Decision-tree-based approach
  – Distance is measured over a tree that groups subject labels, object labels, object classes and permissions into semantic categories
  – Classified as benign if the closest rule is an allow rule
  – Classified as malicious if the closest rule is a neverallow rule
  – Remains unclassified if the pattern is far from both sides (beyond the Dist threshold used in the evaluation)

Decision-Tree-Based P2R

[Figure: the decision tree used to measure pattern-to-rule distance, for subject untrusted_app. Object labels are grouped into low_sensitive_data (app_data_file, shell_data_file, sdcard_file) and high_sensitive_data (system_file, imei_efs_file); object classes into common_file (file, dir) and special_file (blk_file, chr_file); permissions into read_like_perm (open, read), write_like_perm (write, append) and execute_perm (execute). The example pattern walked down the tree is <untrusted_app, sdcard_file, dir, read>.]
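As an added example (my reconstruction, not the paper's implementation), the block below encodes the tree above as leaf-to-group tables and measures distance as the sum, over object label, object class and permission, of 0 for the same leaf, 1 for siblings under the same group and 2 for different groups. A pattern is labelled by whichever side (allow or neverallow) is strictly nearer and within the `Dist` threshold, which is the knob the evaluation tables vary. The exact leaf-to-group assignment and the per-dimension scoring are my assumptions; the rules are constructed, not from any shipped policy, and patterns are the <sbj_label, obj_label, tclass, perm> projection of the 6-tuple.

```python
# Leaf-to-group tables reconstructed from the slide's decision tree. Which leaves sit under
# which group is my reading of the figure, not a table given by the paper.
OBJ_GROUP = {
    "app_data_file": "low_sensitive_data", "shell_data_file": "low_sensitive_data",
    "sdcard_file": "low_sensitive_data",
    "system_file": "high_sensitive_data", "imei_efs_file": "high_sensitive_data",
}
CLASS_GROUP = {"file": "common_file", "dir": "common_file",
               "blk_file": "special_file", "chr_file": "special_file"}
PERM_GROUP = {"open": "read_like_perm", "read": "read_like_perm",
              "write": "write_like_perm", "append": "write_like_perm",
              "execute": "execute_perm"}

# Constructed rules as (sbj, obj_label, tclass, perms); not from a real policy.
ALLOWS = [("untrusted_app", "app_data_file", "file", {"read", "write"}),
          ("untrusted_app", "sdcard_file", "file", {"read"})]
NEVERALLOWS = [("untrusted_app", "system_file", "file", {"write"}),
               ("untrusted_app", "imei_efs_file", "file", {"read"})]

def leaf_distance(a, b, groups):
    """0 = same leaf, 1 = siblings under one group, 2 = different groups or unknown leaf."""
    if a == b:
        return 0
    if a in groups and groups[a] == groups.get(b):
        return 1
    return 2

def pattern_rule_distance(pattern, rule):
    """Tree distance summed over object label, class and permission (nearest permission
    in the rule's set); None when the subjects differ, since such rules are not comparable."""
    sbj, obj_label, tclass, perm = pattern
    rsbj, robj, rclass, rperms = rule
    if sbj != rsbj:
        return None
    return (leaf_distance(obj_label, robj, OBJ_GROUP)
            + leaf_distance(tclass, rclass, CLASS_GROUP)
            + min(leaf_distance(perm, p, PERM_GROUP) for p in rperms))

def nearest(pattern, rules):
    ds = [d for d in (pattern_rule_distance(pattern, r) for r in rules) if d is not None]
    return min(ds) if ds else float("inf")

def classify_p2r(pattern, allows=ALLOWS, neverallows=NEVERALLOWS, max_dist=1):
    """Benign if an allow rule is strictly nearest and within max_dist, malicious likewise
    for neverallow; otherwise (too far from both, or a tie) unclassified."""
    da, dn = nearest(pattern, allows), nearest(pattern, neverallows)
    if da <= max_dist and da < dn:
        return "benign"
    if dn <= max_dist and dn < da:
        return "malicious"
    return "unclassified"

if __name__ == "__main__":
    sample = ("untrusted_app", "sdcard_file", "dir", "read")  # the slide's example pattern
    for d in (0, 1, 2):
        print("Dist <= %d: %s" % (d, classify_p2r(sample, max_dist=d)))
```

With `Dist ≤ 1` the slide's pattern is benign, because `allow untrusted_app sdcard_file:file { read }` differs only in the sibling class `dir`; with `Dist ≤ 0` it stays unclassified. Ties are deliberately left unclassified rather than resolved in favour of allow: for a mandatory access control policy the cost of a wrong allow (a silently opened hole) is higher than the cost of a pattern an analyst has to look at.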

Co-Occurrence Learner

• Observation
  – A functionality or an attack often involves a series of access patterns that are captured together
• Co-Occurrence Learner
  – Infer labels for new access patterns from the known access patterns they co-occur with

[Figure: co-occurrence matrix over access patterns 1, 2, 3, ...; entries such as 0.9, 0.8, 0.2, 0.1, 0.05, with 1 on the diagonal]
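The following added example (mine, not the paper's learner) builds such a co-occurrence matrix from per-device log sessions and labels an unknown pattern from the strongest known pattern it co-occurs with, gated by the `cij` threshold the evaluation tables vary. The score I use is `c[i][j]` = fraction of the sessions containing unknown pattern `j` in which known pattern `i` also appears; the paper's exact definition is not on the slides, so this is an assumption, as are the sessions and pattern labels, which are constructed. When both a benign and a malicious known pattern exceed the threshold the example leaves the pattern unclassified instead of guessing.

```python
from collections import Counter
from itertools import combinations

# Constructed access patterns (sbj_label, perm, tclass, obj), a projection of the 6-tuple.
FB_WRITE = ("untrusted_app", "write", "chr_file", "/dev/graphics/fb0")      # known malicious
SD_READ = ("untrusted_app", "read", "dir", "/sdcard/*")                      # known benign
MEM_WRITE = ("untrusted_app", "write", "chr_file", "/dev/exynos-mem")        # unknown
TZ_READ = ("untrusted_app", "read", "file", "/data/misc/zoneinfo/*")         # unknown

KNOWN = {FB_WRITE: "malicious", SD_READ: "benign"}

# Constructed per-device log sessions; each set holds the patterns captured together.
SESSIONS = [
    {FB_WRITE, MEM_WRITE, SD_READ},
    {FB_WRITE, MEM_WRITE},
    {FB_WRITE, MEM_WRITE, TZ_READ},
    {SD_READ, TZ_READ},
    {SD_READ, TZ_READ},
    {SD_READ},
    {FB_WRITE, MEM_WRITE},
    {SD_READ, TZ_READ},
]

def cooccurrence(sessions):
    """Return (occurrence counts, c) where c(i, j) is the fraction of sessions
    containing pattern j in which pattern i also appears."""
    occ, pair = Counter(), Counter()
    for s in sessions:
        s = set(s)
        occ.update(s)
        for i, j in combinations(sorted(s), 2):
            pair[(i, j)] += 1
            pair[(j, i)] += 1

    def c(i, j):
        return pair[(i, j)] / occ[j] if occ[j] else 0.0
    return occ, c

def classify_cooccurrence(sessions, known, threshold):
    """Label each unknown pattern from the known patterns it co-occurs with above
    the threshold; conflicting or insufficient evidence leaves it unclassified."""
    occ, c = cooccurrence(sessions)
    result = {}
    for j in occ:
        if j in known:
            continue
        best = {}  # label -> strongest co-occurrence with a known pattern of that label
        for i, label in known.items():
            best[label] = max(best.get(label, 0.0), c(i, j))
        strong = {label for label, score in best.items() if score > threshold}
        result[j] = strong.pop() if len(strong) == 1 else "unclassified"
    return result

if __name__ == "__main__":
    for t in (0.55, 0.75, 0.95):
        print("cij > %.2f:" % t, classify_cooccurrence(SESSIONS, KNOWN, t))
```

Here `/dev/exynos-mem` writes appear in every session that also writes `/dev/graphics/fb0`, so they are labelled malicious at any threshold, matching the exploit-kit observation on the NN Classifier slide; the zoneinfo read co-occurs with the benign sdcard read in 3 of its 4 sessions (0.75), so it is benign at `cij > 0.55` but unclassified once the threshold passes 0.75. This is also the learner most exposed to the data-poisoning limitation noted at the end of the deck: an attacker who can make a malicious pattern co-occur with common benign ones pushes its score toward the benign side.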

Learning Balancer & Combiner

• Manage thresholds of each learner

• Combine results to expand knowledge base

• Balance precision and coverage

– Automated Mode (high precision)

– Semi-Automated Mode (high coverage)


Policy Refinement Generator

• Suggest new security labels and rules
• Group sbjs/objs together based on existing coarse-grained labels
• Infer fine-grained labels and encode them into rules


Implementation

• 8-node Hadoop cluster, 256 GB memory
• Distributed SQL on HDFS
• SLOC: 10K Java + 5K Cloudera Impala

Evaluation

• RQ1: What are the coverage and precision of EASEAndroid? What are the effects of different threshold settings?
• RQ2: How is a policy refinement generated? How does it differ from human-written policy?
• RQ3: What kinds of new malicious patterns are discovered by EASEAndroid?

Evaluation

• Audit log dataset
  – 1.3M logs from real-world Samsung devices running Android 4.3, collected over 2014 (anonymously, with user consent)
  – 145K unique access events, generalized into 3530 access patterns
• Initial knowledge
  – An early version of the policy, 9 confirmed exploit kits
• Ground truth
  – A later version of the human-refined policy
  – Consultation with experienced policy analysts

Evaluation: Coverage & Precision

[Figure: coverage and precision chart; the slide highlights 74%]

Evaluation: Different Thresholds (Coverage)

Share of the 3530 access patterns that each threshold setting classifies as malicious, classifies as benign, or leaves unclassified (σ = NN Classifier threshold, Dist = Pattern-to-Rule threshold, cij = Co-Occurrence threshold):

NN Classifier   Pattern-to-Rule   Co-Occurrence   Classified          Classified        Remain
threshold       threshold         threshold       malicious (TP+FP)   benign (TN+FN)    unclassified
σ = 55%         Dist ≤ 2          cij > 0.55      77.2%               14.0%             8.8%
σ = 65%         Dist ≤ 1          cij > 0.65      70.0%               11.8%             18.2%
σ = 75%         Dist ≤ 1          cij > 0.75      65.7%               10.9%             23.4%
σ = 85%         Dist ≤ 0          cij > 0.85      63.9%               10.5%             25.7%
σ = 95%         Dist ≤ 0          cij > 0.95      53.1%               9.2%              37.7%

Evaluation: Different Thresholds (Precision)

Of the patterns classified malicious, the share that is truly malicious (TP) versus falsely malicious (FP); of the patterns classified benign, the share that is truly benign (TN) versus falsely benign (FN). Stricter thresholds trade the coverage of the previous table for precision:

NN Classifier   Pattern-to-Rule   Co-Occurrence   True malicious   False malicious   True benign   False benign
threshold       threshold         threshold       (TP)             (FP)              (TN)          (FN)
σ = 55%         Dist ≤ 2          cij > 0.55      62.96%           37.04%            58.65%        41.35%
σ = 65%         Dist ≤ 1          cij > 0.65      88.73%           11.27%            71.35%        28.65%
σ = 75%         Dist ≤ 1          cij > 0.75      91.35%           8.65%             88.92%        11.08%
σ = 85%         Dist ≤ 0          cij > 0.85      96.81%           3.19%             90.81%        9.19%
σ = 95%         Dist ≤ 0          cij > 0.95      97.27%           2.73%             100.00%       0.00%

Evaluation: Refinement Example

Four benign access patterns from different system daemons on the same object are grouped:

<surfaceflinger, {open…}, file, /data/misc/zoneinfo/*, system_data_file>
<dhcpcd, {open…}, file, /data/misc/zoneinfo/*, system_data_file>
<pppd, {open…}, file, /data/misc/zoneinfo/*, system_data_file>
<vendor_daemon, {open…}, file, /data/misc/zoneinfo/*, system_data_file>

=> generated refinement: a new fine-grained object label for the directory, a new subject attribute for the daemons that need it, and one allow rule carrying only the observed permissions:

/data/misc/zoneinfo/* u:object_r:zoneinfo_file:s0
attribute access_zoneinfo_domain;
typeattribute surfaceflinger access_zoneinfo_domain;
......(same for the other 3 system daemons)
allow access_zoneinfo_domain zoneinfo_file:file { open read };

(In a real policy the new type must also be declared, e.g. with a `type` statement, before the file_contexts entry and the rule can refer to it.)
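The added Python example below (my implementation of the idea, not the paper's generator) performs this grouping mechanically: benign patterns are grouped by object, the new object label is derived from the path, a subject attribute is created for the daemons in the group, and one allow rule is emitted per object class with the union of the observed permissions. The patterns are constructed to mirror the slide; the `file_type` and `data_file_type` attributes in the generated `type` statement, the file_contexts regex form `(/.*)?`, and the naming scheme for labels are my assumptions about how such output would be written for an AOSP-style policy.

```python
from collections import defaultdict

# Constructed benign patterns (sbj, perm, tclass, obj, obj_label) mirroring the slide's case.
BENIGN = [
    ("surfaceflinger", "open", "file", "/data/misc/zoneinfo/*", "system_data_file"),
    ("surfaceflinger", "read", "file", "/data/misc/zoneinfo/*", "system_data_file"),
    ("dhcpcd", "open", "file", "/data/misc/zoneinfo/*", "system_data_file"),
    ("dhcpcd", "read", "file", "/data/misc/zoneinfo/*", "system_data_file"),
    ("pppd", "open", "file", "/data/misc/zoneinfo/*", "system_data_file"),
    ("vendor_daemon", "read", "file", "/data/misc/zoneinfo/*", "system_data_file"),
]

def label_from_path(obj):
    """'/data/misc/zoneinfo/*' -> 'zoneinfo_file': last concrete path component plus a
    class suffix (assumed naming scheme)."""
    parts = [p for p in obj.split("/") if p and p != "*"]
    return parts[-1].replace(".", "_").replace("-", "_") + "_file"

def file_contexts_entry(obj, new_type):
    """Turn the generalized path into a file_contexts regex line (assumed form)."""
    pattern = obj[:-2] + "(/.*)?" if obj.endswith("/*") else obj
    return "%s u:object_r:%s:s0" % (pattern, new_type)

def generate_refinement(patterns):
    """Group benign patterns by object and emit, per object, a file_contexts entry plus the
    policy statements: type declaration, attribute, typeattribute per subject, allow rules.
    Returns {obj: {"file_contexts": str, "policy": [str, ...]}}."""
    perms_by_obj = defaultdict(lambda: defaultdict(set))  # obj -> tclass -> perms
    subjects = defaultdict(set)                             # obj -> subjects
    for sbj, perm, tclass, obj, _coarse_label in patterns:
        perms_by_obj[obj][tclass].add(perm)
        subjects[obj].add(sbj)

    out = {}
    for obj, by_class in perms_by_obj.items():
        new_type = label_from_path(obj)
        attr = "access_%s_domain" % new_type.rsplit("_file", 1)[0]
        policy = ["type %s, file_type, data_file_type;" % new_type,  # assumed attributes
                  "attribute %s;" % attr]
        policy += ["typeattribute %s %s;" % (s, attr) for s in sorted(subjects[obj])]
        for tclass, perms in sorted(by_class.items()):
            # Union of what the group's members were seen doing; nothing more.
            policy.append("allow %s %s:%s { %s };" % (attr, new_type, tclass, " ".join(sorted(perms))))
        out[obj] = {"file_contexts": file_contexts_entry(obj, new_type), "policy": policy}
    return out

if __name__ == "__main__":
    for obj, r in generate_refinement(BENIGN).items():
        print("# file_contexts:", r["file_contexts"])
        print("\n".join(r["policy"]))
```

Two things to check before merging output like this, which the generator cannot decide on its own: the attribute grants every member the union of the group's permissions (here `pppd` gains `read` and `vendor_daemon` gains `open` even though each was only observed doing one of them), and the new allow rule still has to survive the neverallow check at compile time, exactly like a hand-written one.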

Evaluation: Comparison with Human-written Policy

• 336 benign access patterns, 51 policy rules
• All rules semantically match human rules
• EASEAndroid: fine-grained + evidence
  allow access_zoneinfo_domain zoneinfo_file:file { open read };
• Human: coarse-grained + macro
  allow system_domain zoneinfo_data_file:file rw_file_perms;

The human rule grants read and write (the rw_file_perms macro) to every domain under system_domain, while the observed evidence only supports open and read for four daemons; the generated rule is narrower on both the subject and the permission side.

Evaluation: Malicious Access Patterns Discovered by EASEAndroid

• {read,write} files in /dev/graphics, /dev/block, /dev/exynos-mem, /dev/mem
• {dac_override,chown,fsetid} capability in /data/data, /data/local, /data/misc, /data/system, /sdcard
• {create,write,unlink} files in /system/app, /system/bin, /system/xbin, /system/etc
• {read,write} files in /sys/block, /sys/devices, /sys/fs, /sys/kernel
• {read,write} files in /proc/sys, /proc/pid/environ|exe|mem
• {kill,sys_admin,sys_ptrace,sys_chroot,setuid,setgid} capability
• {transition,dyntransition} process
• {connectto} unix sockets of privileged daemons directly

Evaluation: Attacks against SEAndroid

• Manipulate files under /sys/fs/selinux (e.g. the enforce switch, to drop the kernel into permissive mode)
• Inject allow rules into the policy
• Transition to a privileged domain
• Modify struct cred by exploiting the kernel

Limitations

• Information missed by audit logs
  – High-level semantics in the Android framework
• Countermeasures against EASEAndroid
  – Data poisoning attacks (an adversary seeding the logs with crafted access patterns to bias the learners)
• Unclassified access patterns
  – Humans can interact with EASEAndroid by adding extra knowledge

Conclusion

• SEAndroid policy development and refinement is challenging
• We propose EASEAndroid, an analytic system that refines the policy based on semi-supervised learning
• Big data / machine learning is promising for security policy development & management

Thank you for your time!

Q & A